Profile Applicability:
- Level 1
Description:
Amazon DocumentDB encrypts data at rest with keys held in AWS Key Management Service (KMS); on an encrypted cluster the underlying storage, automated backups, snapshots and replicas are all encrypted with the cluster's key. Encryption is chosen when the cluster is created and cannot be changed afterwards. This SOP verifies that storage encryption is enabled on every DocumentDB cluster, which protects stored data from being read by anyone who obtains the underlying storage media or a snapshot copy and supports compliance with data protection standards.
Rationale:
Data Protection: Enabling encryption helps ensure that the data at rest within DocumentDB clusters is protected and cannot be accessed by unauthorized parties.
Compliance: Encryption at rest is often required for compliance with standards such as HIPAA, PCI-DSS, and SOC 2.
Security: Protects sensitive customer data and intellectual property from data breaches, providing an additional layer of security for critical applications.
Impact:
Pros:
Enhanced Security: Encryption ensures that data is secure from unauthorized access while at rest in DocumentDB.
Compliance: Meets regulatory and compliance requirements for encryption at rest.
Protected Copies: Snapshots and automated backups of an encrypted cluster are encrypted with the same key, so exported or shared copies of the data are not exposed in the clear.
Cons:
Performance Overhead: Encryption can introduce a slight performance overhead when reading and writing data, although this impact is typically minimal with AWS-managed encryption.
Cost: A customer managed KMS key carries a monthly key charge plus per-request charges; the AWS-managed aws/rds key has no monthly charge. Either way the cluster-level overhead is small because data is encrypted with a data key, not by calling KMS per read or write.
Default Value:
Clusters created from the AWS Management Console have encryption at rest enabled by default, using the AWS-managed aws/rds key unless a customer managed key is chosen. Clusters created with the CLI or API are not encrypted unless --storage-encrypted (StorageEncrypted) is specified. Encryption cannot be enabled or disabled after the cluster is created, so it must be set at creation time.
Pre-requisite:
AWS IAM Permissions (DocumentDB uses the rds: action namespace):
rds:DescribeDBClusters
rds:DescribeDBInstances
kms:ListAliases
kms:DescribeKey (to determine whether a cluster's key is AWS-managed or customer managed)
AWS CLI installed and configured.
Ensure that you have permissions to access DocumentDB and KMS resources.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Amazon DocumentDB under Services.
In the DocumentDB Dashboard, go to Clusters.
Select the DocumentDB cluster you want to check.
In the Configuration tab, under the Encryption section, verify whether encryption at rest is enabled.
If encryption is enabled, the Encryption section shows Encrypted together with the KMS key in use.
If encryption is not enabled, it shows Not Encrypted.
If encryption is not enabled, the cluster cannot be modified in place: it must be replaced by a new encrypted cluster (take a snapshot first so the data can be restored into the new cluster).
Using AWS CLI:
To list every DocumentDB cluster with its encryption state, run the following command (describe-db-clusters can also return RDS and Aurora clusters in the same account, so filter on the docdb engine):
aws docdb describe-db-clusters --query 'DBClusters[?Engine==`docdb`].{ClusterIdentifier:DBClusterIdentifier,StorageEncrypted:StorageEncrypted,KmsKeyId:KmsKeyId}' --output table
Review the output:
If StorageEncrypted is true, encryption is enabled for the cluster and KmsKeyId is the ARN of the key in use.
If StorageEncrypted is false, encryption is not enabled and the cluster is non-compliant.
To check whether the key in use is the AWS-managed aws/rds key or a customer managed key (KeyManager is AWS or CUSTOMER) and that it is still enabled, run:
aws kms describe-key --key-id <kms-key-arn> --query 'KeyMetadata.[KeyManager,KeyState]'
Implementation Steps:
Using AWS Console:
Log in to the AWS Management Console and navigate to Amazon DocumentDB.
In the DocumentDB Dashboard, select Clusters and choose the DocumentDB cluster for which you want to verify encryption.
Under the Configuration tab, verify the Encryption section.
If encryption is not enabled, take a snapshot of the existing cluster, then create a new encrypted cluster and restore the snapshot into it before deleting the old cluster (deleting first discards the data).
When creating the new cluster, ensure that the Enable Encryption checkbox is selected and a KMS key is specified; if no key is chosen, the AWS-managed aws/rds key is used.
Using AWS CLI:
To create a new encrypted cluster, pass --storage-encrypted together with the key to use (omit --kms-key-id to use the AWS-managed aws/rds key). Do not type the master password into a shared shell; the AWS CLI accepts --master-user-password file://<path> to read it from a file. Use --enable-cloudwatch-logs-exports to turn on audit logging if required:
aws docdb create-db-cluster --db-cluster-identifier <db-cluster-id> --engine docdb --master-username <username> --master-user-password <password> --storage-encrypted --kms-key-id <kms-key-id> --enable-cloudwatch-logs-exports <logs-to-export>
A new cluster has no compute until at least one instance is added:
aws docdb create-db-instance --db-instance-identifier <db-instance-id> --db-cluster-identifier <db-cluster-id> --engine docdb --db-instance-class <instance-class>
To confirm encryption after creation, run:
aws docdb describe-db-clusters --db-cluster-identifier <db-cluster-id> --query 'DBClusters[0].{StorageEncrypted:StorageEncrypted,KmsKeyId:KmsKeyId}'
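The Test Plan and Implementation Steps above can be driven by a small audit script. The following is an added example written for this SOP, not AWS or CIS code. It evaluates the JSON shape returned by aws docdb describe-db-clusters and aws kms describe-key (the sample records embedded below are constructed, including the fake account number and key ARN), grades each DocumentDB cluster as PASS, WARN or FAIL, and for each unencrypted cluster drafts a data-preserving remediation: snapshot the cluster and restore the snapshot with --kms-key-id, which yields an encrypted cluster, instead of the bare delete-and-recreate. The default instance class db.r6g.large and the --live flag are the example's own choices; running live needs kms:DescribeKey in addition to the permissions listed above.

```python
"""Audit Amazon DocumentDB clusters for storage encryption and draft a
data-preserving remediation. Added example for this SOP, not AWS or CIS code.
Assumes only the documented JSON shapes of `aws docdb describe-db-clusters`
and `aws kms describe-key`; every sample record below is constructed."""
import json
import subprocess
import sys
from dataclasses import dataclass

KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"

# Constructed sample of `aws docdb describe-db-clusters --output json` (trimmed).
# The third record shows why the audit filters on Engine: the DocumentDB
# describe call can also return RDS/Aurora clusters in the same account.
SAMPLE_CLUSTERS = {
    "DBClusters": [
        {"DBClusterIdentifier": "orders-prod", "Engine": "docdb",
         "StorageEncrypted": True, "KmsKeyId": KEY_ARN},
        {"DBClusterIdentifier": "analytics-dev", "Engine": "docdb",
         "StorageEncrypted": False},
        {"DBClusterIdentifier": "legacy-pg", "Engine": "aurora-postgresql",
         "StorageEncrypted": False},
    ]
}
# Constructed sample of `aws kms describe-key` KeyMetadata, keyed by key ARN.
SAMPLE_KEYS = {KEY_ARN: {"KeyManager": "AWS", "KeyState": "Enabled"}}


@dataclass
class Finding:
    cluster: str
    status: str   # PASS, WARN or FAIL
    detail: str


def audit_clusters(describe_output, key_metadata):
    """One Finding per DocumentDB cluster.
    FAIL: StorageEncrypted is false (the non-compliant state in this SOP).
    WARN: encrypted, but the key is not Enabled, its metadata could not be
          read, or it is the AWS-managed aws/rds key (no customer key policy).
    PASS: encrypted with an enabled customer managed key."""
    findings = []
    for c in describe_output.get("DBClusters", []):
        if c.get("Engine") != "docdb":
            continue
        cid = c["DBClusterIdentifier"]
        if not c.get("StorageEncrypted", False):
            findings.append(Finding(cid, "FAIL", "storage encryption disabled"))
            continue
        key_arn = c.get("KmsKeyId", "")
        meta = key_metadata.get(key_arn)
        if not meta:
            findings.append(Finding(cid, "WARN", f"key {key_arn} metadata unavailable"))
        elif meta.get("KeyState") != "Enabled":
            findings.append(Finding(cid, "WARN", f"key {key_arn} is {meta.get('KeyState')}"))
        elif meta.get("KeyManager") == "AWS":
            findings.append(Finding(cid, "WARN", "encrypted with AWS-managed key (aws/rds)"))
        else:
            findings.append(Finding(cid, "PASS", f"encrypted with customer key {key_arn}"))
    return findings


def remediation_commands(cluster_id, kms_key_id, instance_class="db.r6g.large"):
    """CLI sequence that moves an unencrypted cluster's data into a new
    encrypted cluster: snapshot, restore with --kms-key-id, add an instance,
    verify. Instance class is an assumption; adjust to the workload."""
    snap, new = f"{cluster_id}-pre-encrypt", f"{cluster_id}-enc"
    return [
        f"aws docdb create-db-cluster-snapshot --db-cluster-identifier {cluster_id} "
        f"--db-cluster-snapshot-identifier {snap}",
        # poll this until Status is 'available' before restoring
        f"aws docdb describe-db-cluster-snapshots --db-cluster-snapshot-identifier {snap} "
        "--query 'DBClusterSnapshots[0].Status'",
        f"aws docdb restore-db-cluster-from-snapshot --db-cluster-identifier {new} "
        f"--snapshot-identifier {snap} --engine docdb --kms-key-id {kms_key_id}",
        # a restored cluster has no instances; add at least one before cutover
        f"aws docdb create-db-instance --db-instance-identifier {new}-1 "
        f"--db-cluster-identifier {new} --engine docdb --db-instance-class {instance_class}",
        f"aws docdb describe-db-clusters --db-cluster-identifier {new} "
        "--query 'DBClusters[0].[StorageEncrypted,KmsKeyId]'",
    ]


def fetch_live():
    """Pull real data through the AWS CLI (rds:DescribeDBClusters, kms:DescribeKey)."""
    clusters = json.loads(subprocess.check_output(
        ["aws", "docdb", "describe-db-clusters", "--output", "json"]))
    keys = {}
    for c in clusters["DBClusters"]:
        arn = c.get("KmsKeyId")
        if arn and arn not in keys:
            out = subprocess.check_output(["aws", "kms", "describe-key", "--key-id", arn, "--output", "json"])
            keys[arn] = json.loads(out)["KeyMetadata"]
    return clusters, keys


if __name__ == "__main__":
    clusters, keys = fetch_live() if "--live" in sys.argv else (SAMPLE_CLUSTERS, SAMPLE_KEYS)
    for f in audit_clusters(clusters, keys):
        print(f"{f.status:4} {f.cluster}: {f.detail}")
        if f.status == "FAIL":
            print("\n".join("    " + cmd for cmd in remediation_commands(f.cluster, "<kms-key-id>")))
```

Run it without arguments to see the grading on the constructed sample, or with --live to audit the account the AWS CLI is configured for. The AWS-managed key is graded WARN rather than FAIL because it satisfies this SOP's control; it is flagged only because its key policy cannot be restricted or rotated on a customer schedule.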
Backout Plan:
Using AWS Console:
If the new encrypted cluster causes issues, sign in to the AWS Management Console.
Navigate to Amazon DocumentDB and select the new cluster created with encryption enabled.
Delete its instances, then delete the cluster (encryption cannot be disabled on an existing cluster, so a new cluster would have to be created without encryption).
Recreate the cluster without storage encryption only if that is genuinely required; doing so returns the cluster to the non-compliant state this SOP checks for.
Using AWS CLI:
To delete the new encrypted cluster, first delete each of its instances (a cluster cannot be deleted while it still has instances), then the cluster:
aws docdb delete-db-instance --db-instance-identifier <NEW_INSTANCE_ID>
aws docdb delete-db-cluster --db-cluster-identifier <NEW_CLUSTER_ID> --skip-final-snapshot
Recreate the cluster without encryption if needed:
aws docdb create-db-cluster --db-cluster-identifier <NEW_CLUSTER_ID> --engine docdb --master-username <username> --master-user-password <password> --no-storage-encrypted